Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

inetutils: CVE-2019-0053

Related Vulnerabilities: CVE-2019-0053  

Source

Debian Bug report logs - #945861
inetutils: CVE-2019-0053

version graph

Package: src:inetutils; Maintainer for src:inetutils is Guillem Jover <guillem@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 29 Nov 2019 23:33:02 UTC

Severity: normal

Tags: security, upstream

Found in versions inetutils/2:1.9.4-7, inetutils/2:1.9.4-2, inetutils/2:1.9.4-10

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Guillem Jover <guillem@debian.org>:
Bug#945861; Package src:inetutils. (Fri, 29 Nov 2019 23:33:04 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Guillem Jover <guillem@debian.org>. (Fri, 29 Nov 2019 23:33:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: inetutils: CVE-2019-0053
Date: Sat, 30 Nov 2019 00:32:16 +0100
Source: inetutils
Version: 2:1.9.4-10
Severity: important
Tags: security upstream
Control: found -1 2:1.9.4-7
Control: found -1 2:1.9.4-2

Hi,

The following vulnerability was published for inetutils, the CVE
description on MITRe might be missleading as it indicates it is
somehow related to Juniper only. But see other refernces, [1] and [2].

CVE-2019-0053[0]:
| Insufficient validation of environment variables in the telnet client
| supplied in Junos OS can lead to stack-based buffer overflows, which
| can be exploited to bypass veriexec restrictions on Junos OS. A stack-
| based overflow is present in the handling of environment variables
| when connecting via the telnet client to remote telnet servers. This
| issue only affects the telnet client &amp;#8212; accessible from the
| CLI or shell &amp;#8212; in Junos OS. Inbound telnet services are not
| affected by this issue. This issue affects: Juniper Networks Junos OS:
| 12.3 versions prior to 12.3R12-S13; 12.3X48 versions prior to
| 12.3X48-D80; 14.1X53 versions prior to 14.1X53-D130, 14.1X53-D49; 15.1
| versions prior to 15.1F6-S12, 15.1R7-S4; 15.1X49 versions prior to
| 15.1X49-D170; 15.1X53 versions prior to 15.1X53-D237, 15.1X53-D496,
| 15.1X53-D591, 15.1X53-D69; 16.1 versions prior to 16.1R3-S11,
| 16.1R7-S4; 16.2 versions prior to 16.2R2-S9; 17.1 versions prior to
| 17.1R3; 17.2 versions prior to 17.2R1-S8, 17.2R2-S7, 17.2R3-S1; 17.3
| versions prior to 17.3R3-S4; 17.4 versions prior to 17.4R1-S6,
| 17.4R2-S3, 17.4R3; 18.1 versions prior to 18.1R2-S4, 18.1R3-S3; 18.2
| versions prior to 18.2R1-S5, 18.2R2-S2, 18.2R3; 18.2X75 versions prior
| to 18.2X75-D40; 18.3 versions prior to 18.3R1-S3, 18.3R2; 18.4
| versions prior to 18.4R1-S2, 18.4R2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-0053
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0053
[1] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:12.telnet.asc
[2] https://raw.githubusercontent.com/hackerhouse-opensource/exploits/master/inetutils-telnet.txt

Regards,
Salvatore

Marked as found in versions inetutils/2:1.9.4-7. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Fri, 29 Nov 2019 23:33:04 GMT) (full text, mbox, link).

Marked as found in versions inetutils/2:1.9.4-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Fri, 29 Nov 2019 23:33:05 GMT) (full text, mbox, link).

Severity set to 'normal' from 'important' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 30 Nov 2019 12:33:06 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Nov 30 20:50:39 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started